
Controls monitoring helps with governance, risk and compliance

By Marcia Savage, Features Editor, Information Security
21 May 2009 | SearchFinancialSecurity.com


A technology that monitors ERP and financial application transaction controls is an emerging tool in the governance, risk and compliance (GRC) market, according to Gartner.

Continuous controls monitoring for transactions can help lower compliance costs by eliminating a lot of manual sampling of transactions and improve financial governance and operational performance, Gartner analysts Paul Proctor and French Caldwell wrote in a report earlier this year. Continuous controls monitoring for transactions, they said, was the "next frontier for GRC automation."

Auditors use the technology to verify that controls are working inside of ERP systems, Proctor said in an interview. For example, a company may require two signatures on a check for more than $50,000; the control to enforce that policy may be in the ERP system or it may just be a procedural control. Continuous controls monitoring for transactions can help auditors verify the control in the system is working properly, he said. Management, meanwhile, can use the technology to catch accidental or fraudulent duplicate payments.

"The whole idea of continuous controls monitoring is that we're watching these things on an ongoing basis," Proctor said.

Although the technology has been around for a while, an organization needs to be at a higher level of maturity to have interest in it, he said. "It's not a big market yet, but organizations are moving towards being more proactive and they're always improving their maturity so I would call this 'the future', not 'the today'."

San Francisco-based Union Bank may then be a little ahead of the curve. The bank, which has more than 10,000 employees and 321 branch offices, started implementing continuous controls monitoring as part of its audit program about six years ago, said Dave Hanson, professional practices manager at Union Bank.

"The idea was to be more responsive to the risk environment at the bank," he said. "The initial implementation was to look at risk factors we thought might be indicators of what was happening and might drive where our audit work should be going."

Union Bank uses software from Vancouver, British Columbia-based ACL Services Ltd., which helps auditors pull data from completely different systems, compare it and develop reports, Hanson said. The software's flexibility helps auditors find issues quickly, he said.

For example, ACL makes it easy for bank auditors to take all the payroll checks issued during the period under review and analyze the data for duplicate transactions, said Stephen Sinclair, audit relationship manager at Union Bank.

The software is useful in conducting "database reconnaissance," and helps auditors quickly direct their focus on anomalies, said Shane Schultz, computer-assisted audit techniques applications leader at the bank. For instance, an analysis of fee reversals revealed control weaknesses; some customer deposits were erroneously coded as a fee reversal.

"We plowed through two billion transactions and identified customers where it looked like there were more fees reversed than fees collected… We were able to bring that to management's attention," Schultz said.
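The three tests described above (the two-signature threshold on large checks, duplicate payments, and customers with more fees reversed than collected) as an added Python illustration over constructed sample data; this is not ACL's or Union Bank's code, and the field names, the approver count standing in for signatures and the sample records are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Threshold from the article: checks above this need two signatures (modelled here as two approvers)
DUAL_APPROVAL_THRESHOLD = 50_000

@dataclass(frozen=True)
class Payment:
    payee: str
    amount: float
    invoice: str
    approvers: tuple = ()

@dataclass(frozen=True)
class FeeEvent:
    customer: str
    kind: str      # "fee" (collected) or "reversal"
    amount: float

def dual_approval_exceptions(payments):
    """Control test: payments above the threshold with fewer than two distinct approvers."""
    return [p for p in payments
            if p.amount > DUAL_APPROVAL_THRESHOLD and len(set(p.approvers)) < 2]

def duplicate_payments(payments):
    """Group on normalized payee, rounded amount and invoice; any group larger than one is a candidate duplicate."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.payee.strip().lower(), round(p.amount, 2), p.invoice.strip().lower())].append(p)
    return [g for g in groups.values() if len(g) > 1]

def net_reversal_customers(events):
    """Customers whose fee reversals total more than the fees collected from them."""
    collected, reversed_ = defaultdict(float), defaultdict(float)
    for e in events:
        (collected if e.kind == "fee" else reversed_)[e.customer] += e.amount
    return sorted(c for c in set(collected) | set(reversed_) if reversed_[c] > collected[c])

# Constructed sample data (not bank data)
PAYMENTS = [
    Payment("Acme Supply", 75_000.00, "INV-100", ("alice", "bob")),   # compliant: two approvers
    Payment("Acme Supply", 80_000.00, "INV-101", ("alice",)),         # exception: one approver
    Payment("Globex", 1_200.50, "INV-200", ("carol",)),
    Payment("globex ", 1_200.50, "inv-200", ("dave",)),               # duplicate of the line above
]
FEES = [FeeEvent("C1", "fee", 35.0), FeeEvent("C1", "reversal", 35.0),            # nets to zero
        FeeEvent("C2", "fee", 35.0), FeeEvent("C2", "reversal", 35.0), FeeEvent("C2", "reversal", 35.0),
        FeeEvent("C3", "reversal", 120.0)]                                           # never charged a fee

if __name__ == "__main__":
    print(dual_approval_exceptions(PAYMENTS), duplicate_payments(PAYMENTS), net_reversal_customers(FEES))
```

In a real deployment the same functions run on a schedule against each period's extract, which is what makes the monitoring "continuous" rather than a one-off sample.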

ACL also helps monitor possible employee fraud by allowing the bank to link suspicious deposit account activity to employees via addresses and phone numbers, Hanson said. Those "fuzzy logic" capabilities also are beneficial for Bank Secrecy Act compliance, Sinclair said. The BSA includes requirements to report transactions involving foreign consulates; the bank has coding to identify high-risk accounts, but with ACL, it was able to compare a list of foreign consulate employees and addresses to its customer database and identify accounts that weren't properly coded, he said.

"The fuzzy logic capabilities facilitate matching addresses that may not be character for character the same," he said.
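The address matching described above as an added Python illustration, not ACL's own algorithm: addresses are normalized (case, punctuation, a small assumed abbreviation table) and then compared with a difflib similarity ratio against an assumed 0.85 threshold, so a consulate list can be checked against customer records that were not coded high-risk. The consulate, account and risk-code values are constructed.

```python
import re
from difflib import SequenceMatcher

# Abbreviation expansions applied before comparison (assumed list, not from ACL)
_ABBREV = {"ST": "STREET", "AVE": "AVENUE", "STE": "SUITE", "RD": "ROAD",
           "BLVD": "BOULEVARD", "N": "NORTH", "S": "SOUTH", "E": "EAST", "W": "WEST"}

def normalize(addr):
    """Uppercase, drop punctuation, expand abbreviations, collapse whitespace."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)

def similar(a, b, threshold=0.85):
    """Fuzzy match: True when the normalized forms are close enough (assumed threshold)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio() >= threshold

def miscoded_accounts(consulates, customers, high_risk_code="HIGH"):
    """Accounts whose address fuzzy-matches a consulate address but lack the high-risk code."""
    hits = []
    for cust in customers:
        for cons in consulates:
            if similar(cust["address"], cons["address"]) and cust["risk_code"] != high_risk_code:
                hits.append((cust["account"], cons["name"]))
                break
    return hits

# Constructed sample data (not bank data)
CONSULATES = [{"name": "Consulate of Examplia", "address": "123 Main Street, Suite 400"}]
CUSTOMERS = [
    {"account": "A-1001", "address": "123 Main St. Ste 400", "risk_code": "HIGH"},     # coded correctly
    {"account": "A-1002", "address": "123 Main Stret, Suite 400", "risk_code": "STD"}, # typo, not coded
    {"account": "A-1003", "address": "987 Oak Avenue", "risk_code": "STD"},            # unrelated
]

if __name__ == "__main__":
    for acct, name in miscoded_accounts(CONSULATES, CUSTOMERS):
        print(f"{acct} matches {name} but is not coded high-risk")
```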

Proctor said ACL takes more of an auditor perspective to CCM-T (continuous controls monitoring for transactions). Another vendor, Atlanta-based Oversight Systems Inc., takes more of the business management approach, he said. Other vendors in the space include Oracle, SAP, Approva Corp., Security Weaver, and Infogix Inc., according to Gartner.
